Severity: HIGH | CVE-2026-10067 | CNA: VulDB

CVE-2026-10067: Shibby Tomato multimon.cgi sub_90F0 stack-based overflow

A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in the sub_90F0 function of multimon.cgi in Shibby Tomato 1.28, an end-of-life router firmware now superseded by FreshTomato. The bug is reachable over the network by any authenticated user, with no victim interaction needed, and successful exploitation lets the attacker corrupt stack memory to read sensitive data, tamper with router state, or crash the device, with code execution likely on this class of embedded target. No upstream fix is available; HarborGuard tracks the advisory and will surface a patched rebuild as soon as one ships.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and build pipelines, including custom-built images that embed Shibby Tomato or its components.

Triage: Available

Triage is available with the published CVSS v4.0 score of 8.7 (High) weighted against each customer's compliance policy, so the finding is routed to the right inbox inside the customer org with the severity their own rules assign it.

Patch: Pending upstream

No upstream fix exists because the product is no longer maintained, so HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fix is published; customers with auto-remediation enabled would then automatically get the rebuild, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach multimon.cgi over the network, typically the router's HTTP management interface.

  • Authentication: Required

    A low-privilege account on the router is sufficient to invoke the vulnerable CGI handler.

  • Victim interaction: Not required

    No user action is needed; the attacker sends the crafted request directly.

  • Attack complexity: Low

    Attack complexity is low, meaning the overflow triggers reliably without race conditions or environmental tuning.

Blast Radius

  • Corrupts stack memory in the multimon.cgi process, which on this class of embedded firmware typically yields arbitrary code execution as the web server user.
  • Reads sensitive router state including credentials, WPA keys, and configuration stored in nvram.
  • Tampers with routing, firewall, and DNS settings to redirect or intercept traffic on the LAN.
  • Crashes the management daemon or the device itself, disrupting connectivity for everyone behind the router.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the VulDB advisory for any upstream fix, with detection already live for images that bundle Shibby Tomato 1.28. Because the project is end-of-life and superseded by FreshTomato, the durable fix is migration to FreshTomato or another maintained firmware; in the interim, HarborGuard surfaces compensating-control suggestions such as restricting multimon.cgi exposure to trusted management networks, enforcing network-policy isolation around affected devices, and removing low-privilege web accounts that are not strictly required. If an upstream or downstream patch is ever published, a rebuilt image becomes available automatically and, for environments with auto-remediation enabled, a regression-tested PR is opened against affected workloads.

Metrics

  • CVSS v4.0 score: 8.7
  • Severity: HIGH
  • Fixed in: none (no upstream fix published)
  • Affected products: 1
  • Affected packages: Shibby / Tomato 1.28
  • CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X